Law360 - Why Website Operators Must Beware of Tracking Tech Missteps

By David Klein and Julie Klein.

November 10, 2022

A typical visit to virtually any website, retail or otherwise, automatically prompts a mini pop-up query in the form of a chatbot or similar technology.

Users are invited to engage with the chatbot to submit questions, navigate the ordering process and conduct any number of other digital interactions.

What users may not realize is that this technology has the potential to monitor, record and share a user’s website engagement and activity. And chatbots are not the only method by which website operators can monitor a user’s conduct online.

There is also something called session replay technology, which allows website owners to intercept and observe the way users interact with webpages, including observing and recording movements of a mouse, clicks, keystrokes, page and content views, as well as information inputted into websites by consumers.

What on earth does this have to do with wiretapping? To understand the complexities of this intersection, let’s briefly explore the history and purpose of the Wiretap Act.

The Wiretap Act: A Short History

The Federal Wiretap Act of 1968 has undergone transformation over the years to keep pace with evolving technology.

Originally, the act was intended to regulate the “interception of conversations using ‘hard’ telephone lines, but did not apply to interception of computer and other digital and electronic communications.”[1]

To address these shortcomings, and to update the act, Congress passed the Electronic Communications Privacy Act of 1986, which incorporates the Stored Communications Act. Collectively, these regulations are commonly referred to today as the Wiretap Act.

In effect, the ECPA prohibits the intentional actual or attempted interception, use, disclosure or “procure[ment] [of] any other person to intercept or endeavor to intercept any wire, oral, or electronic communication.”[2]

Understanding that the ECPA is intended to regulate and protect a user’s privacy in an electronic communication, it seems inevitable now that website recording technologies would be the subject of wiretapping allegations.

State Data Privacy Laws

States across the country are enacting and strengthening existing consumer data privacy laws.

According to the National Conference of State Legislatures, “[a]t least 35 states and the District of Columbia … introduced or considered almost 200 consumer privacy bills in 2022.”[3] As of this writing, the following five states have enacted comprehensive data privacy laws:

  • The California Consumer Privacy Act of 2018[4] and the California Consumer Privacy Rights Act;[5]
  • The Colorado Privacy Act, which will become effective July 1;[6]
  • The Connecticut Personal Data Privacy and Online Monitoring, which will become effective July 1;[7]
  • The Virginia Consumer Data Protection Act, which will become effective Jan. 1;[8] and
  • The Utah Consumer Privacy Act, which will become effective Dec. 31, 2023.[9]

Comprehensive data privacy laws typically, “regulate the collection, use and disclosure of personal information by businesses and provide an express set of consumer rights for collected data, such as the right to access, correct and delete personal information collected by businesses.”[10]

Combine the protections afforded by the ECPA, with ever-expanding consumer data privacy laws, and you have innovative technology-related grounds for claims against website operators.

What Does This Mean for Website Operators?

As we mentioned, the legislative climate and trend in the U.S. is focused increasingly on the protection of consumer data.

Add to this the ubiquitous use of website recordation technology, and you have a hotbed for privacy-related infringement lawsuits, unless website operators pay attention to and comply with ever-evolving regulations.

In recent months, courts across the country have been called upon to interpret and decide whether the use of such technology is considered wiretapping in a variety of circumstances.

For example, consider the use of chatbot technology, which is operated and provided by a third-party application provider and coded into any part of a retailer’s website. This technology has proliferated, in large part, because many customers find the use of chatbots to be helpful in navigating their purchases online.

But are website chatbot users aware that their chats may be recorded and/or stored? What privacy rights do consumers have when accessing and interacting with websites? Should website operators first obtain consent from consumers prior to implementing the use of such technology?

These are all pertinent questions and, of course, the answers may vary depending on jurisdiction and the technology used.

Lawsuits Alleging Wiretapping Violations and Website Recordation Technology

Chatbot Technology

In the recent Miguel Licea v. Old Navy LLC case,[11] the plaintiff brought an action in the U.S. District Court for the Central District of California against the large retailer, Old Navy, based on his use of chatbot technology on the company’s website.

The plaintiff alleged that he believed he was communicating with an actual Old Navy customer service representative when he conversed with a chatbot, which was provided by a third party, PolSource Inc.

He further alleged that he was unaware that the chatbot program was recording and storing their entire conversation, and that Old Navy shared the contents of his conversation with PolSource.

Most importantly, the plaintiff alleges that Old Navy never disclosed that his chatbot conversation was being monitored, recorded, or shared, and his consent to such activity was never sought.

Based on these allegations, the plaintiff asked the court to order Old Navy to rectify practices that he believes constitute wiretapping in violation of the California Invasion of Privacy Act and to pay statutory damages amounting to $5,000 for each violation.

As we understand it, wiretapping allegations in the context of chatbot technology use are a relatively novel issue and one that may gain traction as the case — and similar actions — proceed through the courts.

The website operator, in this case Old Navy, probably could have prevented such allegations in the first instance by simply providing a clear and conspicuous website disclosure explaining that chatbot users would not be communicating with a live agent, and that conversations would be monitored, recorded and possibly transmitted by PolSource for Old Navy’s data collection purposes.

Session Replay Technology

We have also followed wiretapping lawsuits involving the use of session replay software.

In fact, in Javier v. Assurance IQ LLC,[12] the U.S. Court of Appeals for the Ninth Circuit held, in a pivotal decision, that prior express consent must be obtained in order to legally record a user’s website visit — along with associated data inputs and clicks — through use of session replay technology.

Failure to do so poses the risk of violating Section 631(a) of the CIPA, commonly known as California’s wiretapping law. In Javier, the Ninth Circuit specifically held that retroactive consent does not satisfy the requirements of Section 631(a).

Due to an increase in copycat lawsuits, website owners using session replay technology would be well served to follow the rapidly evolving case law.

Similarly, in a recent class action captioned Kauffman v. Papa John’s International Inc. in the U.S. District Court for the Southern District of California,[13] the plaintiff and a proposed class of consumers are seeking damages and injunctive relief from the popular pizza chain Papa John’s for violations of the Federal Wiretap Act and the CIPA.

Specifically, the plaintiffs argue that defendant used, without authorization and without the plaintiffs’ knowledge or prior consent, session replay technology.

In so doing, the defendant was able to “contemporaneously intercept, capture, read, observe, re-route, forward, redirect, and receive the plaintiff’s and class members’ electronic communications.”

The plaintiffs allege that this technology enables Papa John’s to create a detailed profile of visitors to its site. The court has not yet ruled on these allegations.

Lesson Learned From Recent Lawsuits and Court Decisions

The main issue threaded through each of these actions is the matter of consumer consent.

Each plaintiff, or class of plaintiffs, alleged that they were unaware of the use of the subject technology and that it would result in the monitoring, recording, storing and possible sharing of their data.

Remember, the Ninth Circuit has explicitly held that prior consent must be obtained — retroactive consent is not sufficient.

While each jurisdiction may have varying data privacy regulations, website operators that use recordation technology are often interacting with consumers all over the country, in many different states.

Given the foregoing, the prudent approach would be to openly disclose that applicable websites use such technology and to obtain consumer consent prior to initiating chatbot interactions or triggering session replay technology.

Absent such notice and consent, website operators face the prospect of drawn-out litigation and potential multimillion-dollar penalties.

David Klein is a managing partner and Julie Klein is an associate at Klein Moynihan Turco LLP.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of their employer, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] https://bja.ojp.gov/program/it/privacy-civil-liberties/authorities/statutes/1285.

[2] https://bja.ojp.gov/program/it/privacy-civil-liberties/authorities/statutes/1285#general-provisions.

[3] https://www.ncsl.org/research/telecommunications-and-information-technology/2022-consumer-privacy-legislation.aspx.

[4] Cal. Civ. Code §§ 1798.100 et seq.

[5] Proposition 24, https://vig.cdn.sos.ca.gov/2020/general/pdf/topl-prop24.pdf.

[6] https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf.

[7] https://www.cga.ct.gov/2022/amd/S/pdf/2022SB-00006-R00SA-AMD.pdf.

[8] https://lis.virginia.gov/cgi-bin/legp604.exe?ses=212&typ=bil&val=Hb2307.

[9] https://le.utah.gov/~2022/bills/static/SB0227.html.

[10] https://www.ncsl.org/research/telecommunications-and-information-technology/2022-consumer-privacy-legislation.aspx.

[11] https://dockets.justia.com/docket/california/cacdce/5:2022cv01413/859675.

[12] https://cdn.ca9.uscourts.gov/datastore/memoranda/2022/05/31/21-16351.pdf.

[13] https://www.classaction.org/media/kauffman-v-papa-johns-international-inc.pdf.
